The lowest hanging card

The latest news on six-second card hacking is very entertaining and, frankly, not reassuring. This thing is as simple as it is stupid. The CVV2/CVC2 is a secret number computed by the bank using a secret key, so it is validated by the issuing bank. Apparently, most (all?) of them have chosen not to count failed validation attempts coming from different sources. So, once you obtain raw card data (with no CVV2), you only need one attempt on each of 1000 sites to find the 3-digit value (it gets worse; read a few articles on this).

So, until some “velocity checks” (counters) are added to CVV2 validators, this is the lowest hanging card. The funny thing is that, since the whole search only takes 6 seconds, changing the CVV every hour doesn’t really help here, so the new Motion Code is not a good countermeasure.
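To make the velocity-check point concrete, here is an added example (my own illustration, not code from the post and not any bank's actual validator) that models an issuing bank's CVV2 check in two configurations: one that counts failures per (card, merchant) pair, which is what the post says most issuers effectively do, and one that counts failures per card regardless of where the attempt comes from. The card number, CVV2 value, merchant names and failure threshold are constructed sample data; `Issuer`, `distributed_guess` and `honest_customer` are names I made up for the example.

```python
"""Toy model of an issuer-side CVV2 validator with and without a per-card velocity check.

Added example, not the post's or any bank's code. All values below are constructed.
"""
from collections import defaultdict

CVV_SPACE = 1000  # a three-digit CVV2/CVC2 has exactly 1000 possible values (000..999)

# Constructed sample data: one card on file at the issuer, and 1000 distinct merchants.
SAMPLE_PAN = "4111111111111111"          # well-known test card number, not a real account
SAMPLE_CARDS = {SAMPLE_PAN: "742"}       # PAN -> true CVV2 (constructed)
MERCHANTS = [f"merchant-{i:04d}" for i in range(CVV_SPACE)]


class Issuer:
    """Minimal issuing-bank CVV2 validator.

    scope="merchant": failed attempts are counted per (card, merchant) pair, so each
                      merchant sees at most one failure when guesses are spread across
                      many sites; nothing ever trips.
    scope="card":     failed attempts are counted per card, whatever their source; after
                      max_failures the card is refused until the issuer reviews it.
    """

    def __init__(self, cards, scope="card", max_failures=3):
        self.cards = dict(cards)
        self.scope = scope
        self.max_failures = max_failures
        self.failures = defaultdict(int)   # counter key -> number of failed attempts
        self.blocked = set()               # counter keys that have hit the threshold

    def _key(self, pan, merchant):
        return (pan, merchant) if self.scope == "merchant" else pan

    def verify(self, pan, cvv, merchant):
        """Return "APPROVED", "DECLINED" or "BLOCKED" for one authorization attempt."""
        key = self._key(pan, merchant)
        if key in self.blocked:
            return "BLOCKED"
        if self.cards.get(pan) == cvv:
            return "APPROVED"
        self.failures[key] += 1
        if self.failures[key] >= self.max_failures:
            self.blocked.add(key)          # velocity check fires
            return "BLOCKED"
        return "DECLINED"


def distributed_guess(issuer, pan, merchants):
    """Replay the pattern the post describes: one guess per merchant, over 1000 merchants.

    Returns (outcome, attempts_made), where outcome is "found", "stopped" or "exhausted".
    """
    attempts = 0
    for guess, merchant in zip(range(CVV_SPACE), merchants):
        attempts += 1
        result = issuer.verify(pan, f"{guess:03d}", merchant)
        if result == "APPROVED":
            return "found", attempts
        if result == "BLOCKED":
            return "stopped", attempts
    return "exhausted", attempts


def honest_customer(issuer, pan, merchant):
    """A genuine cardholder mistypes once and then gets it right: one failure, then success.

    Shows that a small per-card threshold does not lock out ordinary typos.
    """
    return [issuer.verify(pan, "724", merchant), issuer.verify(pan, "742", merchant)]


if __name__ == "__main__":
    weak = Issuer(SAMPLE_CARDS, scope="merchant")
    print("per-merchant counting:", distributed_guess(weak, SAMPLE_PAN, MERCHANTS))
    strong = Issuer(SAMPLE_CARDS, scope="card")
    print("per-card counting:    ", distributed_guess(strong, SAMPLE_PAN, MERCHANTS))
    print("honest typo, per-card:", honest_customer(Issuer(SAMPLE_CARDS), SAMPLE_PAN, "shop-A"))
```

With per-merchant counting, every merchant sees a single failed attempt and the sweep completes after 743 requests, which is why a CVV that rotates every hour changes nothing: the whole search fits comfortably inside one rotation window. With per-card counting the third wrong guess locks the card, wherever the guesses came from, while a cardholder who mistypes once is still approved on the next try.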

Smart card hardliners will tell you that this isn’t a smart card issue. Sure, but it’s related, mostly because however high the bar is raised, there is always a lowest hanging card. Smart cards (with EMV) have been quite efficient at curbing card-present fraud, because the chip computes a dynamic verification code for every transaction. During the EMV rollout, fraud moved to countries where smart cards were not yet used. As this rollout gets closer to completion, that opportunity is slowly going away.

The new lowest hanging fruit is online transactions. EMV doesn’t work online, mostly because all attempts to introduce card readers on ordinary PCs have failed, so our smart cards are useless here. And because consumers have never gotten used to using their cards’ chips for online transactions, they won’t do it for mobile transactions either.

Sadly, commerce is moving online these days, so finding the lowest hanging fruit there is not good news. The CVV2 check will be fixed, and more merchants will use 2-channel verification methods like “Verified by Visa”. After that, it is not obvious what the next lowest hanging fruit will be.

One solution is to use mobile payment, which offers much better security these days. It works for in-person payments, and it is starting to work for online payments made on phones. I haven’t seen mobile payment used to verify online transactions not made on a phone, but this would be very easy to do.